
Outbound email for Google Workspace

You can set up Sophos Gateway to handle outbound email with Google Workspace (formerly Google G Suite).

Note

The following instructions are taken from Google's Set up an outbound mail gateway help on February 12, 2021. We recommend you check the Google help page for updates before changing your email configuration.

To configure outbound scanning from your Google Workspace account, do as follows:

  1. Sign in to Sophos Central.
  2. Click Email Security > Settings > Domain Settings/Status.
  3. Select your domain.
  4. Select Inbound and Outbound as the direction under Configure Domain.
  5. In the Outbound Gateway drop-down list, select Google Apps Gmail.
  6. Click Save.
  7. Then click Configure External Dependencies.
  8. Click Outbound Settings.
  9. Copy the Outbound Relay Host address.
  10. Sign in to your Google Admin Console.
  11. Go to Apps > Google Workspace > Gmail > Advanced Settings.
  12. In the Organizations section, select the top-level organization.
  13. Scroll to the Outbound gateway setting in the Routing section, and paste the outbound relay host address you copied earlier.
  14. Click Save.

Note

Changes may take several minutes to propagate.

Updating the SPF record for your domain

If you authenticate outgoing email using an SPF record or DKIM, you may need to update your configuration.

Your organization should already have an SPF record for your domains registered with Google Workspace. You need to update this record in the DNS zone for the relevant domain.

You can replace your existing SPF record or add to it, depending on your requirements.

It's normal to replace the record. However, if your outbound email is being routed through Sophos Gateway and Google Workspace simultaneously for a period, you can add an include statement for Sophos Gateway to your existing SPF record.

You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.

  • Hard fail:

    You can use a dash (-) before the all parameter for a "hard fail". If your mail isn't sent from Sophos Gateway, and your recipients' mail servers carry out SPF checks, they'll reject your mail.

  • Soft fail:

    You can use a tilde (~) before the all parameter instead, for a "soft fail". The command doesn't fail if an IP address doesn't exist; it continues and processes the rest of the IP addresses. If your recipients' mail servers carry out SPF checks, they won't reject your mail.

Sophos SPF domains

When you replace or add to your SPF record, you must use one of the Sophos domains.

You can use _spf.prod.hydra.sophos.com, which is common to US (West), US (East), Germany and Ireland.

You can also use the specific domain for the Sophos data center for your region.

Warning

You may get the error "SPF PermError: too many DNS lookups" after changing your SPF record. To solve this, use the specific domain for the Sophos data center for your region instead of _spf.prod.hydra.sophos.com.

For more details, see Prevent SPF PermError: too many DNS lookups.

To find out which specific domain to use, see Sophos SPF domains.
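
The lookup limit behind this warning can be checked before you publish a record. The following is an added example, not Sophos or Google code: it counts the worst-case number of DNS-querying SPF terms (include, a, mx, ptr, exists, redirect) against the limit of 10 set by RFC 7208. The TXT contents in ZONE, the third-party sender news.example and all other *.example names are constructed assumptions, not the real published records.

```python
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4

# Constructed TXT data for offline use. These are NOT the real published
# records; every *.example name and all record contents are assumptions.
REGIONS = ("r1.gw.example", "r2.gw.example", "r3.gw.example", "r4.gw.example")
ZONE = {
    "spf.protection.outlook.com":
        "v=spf1 ip4:192.0.2.0/24 include:a.spf.example include:b.spf.example -all",
    "_spf.prod.hydra.sophos.com":
        "v=spf1 " + " ".join("include:" + r for r in REGIONS) + " -all",
    "news.example": "v=spf1 a mx ip4:203.0.113.0/24 -all",
    **{n: "v=spf1 ip4:198.51.100.0/24 -all"
       for n in ("a.spf.example", "b.spf.example") + REGIONS},
}

def count_lookups(record, zone, stack=()):
    """Worst-case number of DNS-querying terms reached while evaluating record."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record: " + record)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()           # drop the qualifier
        name, _, target = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0]                    # "a/24" -> "a"
        if name in ("include", "redirect"):
            if target in stack:
                raise ValueError("include loop at " + target)
            if target not in zone:
                raise ValueError("no SPF data for " + target)
            # One query for the include itself, plus whatever it pulls in.
            total += 1 + count_lookups(zone[target], zone, stack + (target,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1                               # ip4, ip6 and all cost nothing
    return total

def check(record, zone=ZONE):
    n = count_lookups(record, zone)
    return n, ("PermError: too many DNS lookups" if n > LOOKUP_LIMIT else "ok")

# Existing include, a third-party sender, and the common Sophos domain.
COMBINED = ("v=spf1 include:spf.protection.outlook.com include:news.example "
            "include:_spf.prod.hydra.sophos.com -all")
# Same record with a single (hypothetical) regional domain instead.
REGIONAL = COMBINED.replace("_spf.prod.hydra.sophos.com", "r1.gw.example")

if __name__ == "__main__":
    for rec in (COMBINED, REGIONAL):
        print(check(rec), rec)
```

To check a live domain, fill ZONE from real TXT lookups instead of the constructed entries.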

Replacing your SPF record

If your outbound email is only routed through Sophos Gateway, you can use the Sophos Gateway SPF record.

  • Remove v=spf1 include:spf.protection.outlook.com -all.
  • If you're certain that you don't have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Gateway, you can set your record to:

    v=spf1 include:_spf.prod.hydra.sophos.com -all

  • If you aren't routing all your email through us, or you're unsure, use a soft fail:

    v=spf1 include:_spf.prod.hydra.sophos.com ~all

Adding to your SPF record

If your outbound email is being routed through Sophos Gateway and Google Workspace simultaneously for a period, you can leave the original SPF record, and add an include statement for Sophos Gateway.

  • To use an include statement to add the Sophos Gateway record to your existing record, do as follows:

    Existing SPF: v=spf1 include:spf.protection.outlook.com -all

    Example with include: v=spf1 include:spf.protection.outlook.com include:_spf.prod.hydra.sophos.com -all

We recommend you replace your include statement with the Sophos Gateway SPF record when all your outbound email is routed through us.

Confirm that outbound mail is flowing by sending an outbound mail to an external address.

To confirm that the email has been sent, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Email Security > Logs and Reports > Message History.
  3. Change the direction to outbound.
  4. Refresh the screen until you can see the details of the test email you have sent.